An Analysis of GrapheneOS's Server Infrastructure
https://write.as/hcbg2iz91vzqh

GrapheneOS maintains a highly secure mobile operating system, yet its supporting server infrastructure reveals significant inconsistencies with the project's stated privacy values. Despite claims of a transition in leadership, evidence suggests that Daniel Micay remains the central figure, as he is listed as the sole funding recipient and continues to be identified in corporate records as a director. The project's server infrastructure relies on Arch Linux, a rolling-release distribution that lacks the immutability and verified boot features prioritized in the phone's security model. Contrary to the project's philosophy of minimizing attack surfaces, GrapheneOS servers are configured with full software suites, including unnecessary tools like compilers and package managers. GrapheneOS built a global DNS network to ensure independence, yet public configuration files reveal that all queries are forwarded to Cloudflare, exposing user traffic to third-party monitoring. The project migrated its hosting from France to the United States to avoid EU surveillance legislation, despite the U.S. having an expansive surveillance apparatus and legal frameworks like FISA. The project suffers from a low 'bus factor,' as critical infrastructure and update signing keys appear to be controlled by a single individual rather than a distributed organization. There is a notable discrepancy between the rigorous adversarial security of the GrapheneOS mobile OS and the pragmatic, less secure approach taken toward its server scaffolding. While GrapheneOS provides robust mobile security through features like the Titan chip and memory hardening, its community infrastructure lacks demonstrated redundancy or succession planning. GrapheneOS functions more as an individual's project serving 400,000 users rather than the collective, board-governed organization suggested by its public framing.
Proton Mail now allows you to connect Gmail accounts directly to its platform.
https://proton.me/blog/proton-mail-connect-gmail

Proton Mail, the renowned service focused on email privacy, has enabled a feature that makes it easy for users to link their Gmail accounts directly within the Proton service. This allows users to manage messages, send emails using their Gmail address, and automatically receive new messages from that account directly in their Proton Mail inbox. This option is particularly appealing to those who wish to start using a more privacy-respecting service without abruptly abandoning their Gmail address, whether out of necessity or for any other reason. Incoming emails are stripped of trackers, ads, and spam; furthermore, when sent to other Proton users, they remain protected against external access. Additionally, this feature allows users to centralize everything in a single location while transitioning services gradually. The connection process is initiated via the account settings menu, and the feature is currently being rolled out gradually to all users. While this offers an interesting transitional solution for some users, it is worth noting that Google continues to scan emails arriving at the original Gmail account; consequently, this feature does not eliminate the inherent privacy concerns associated with that service. Proton previously allowed users to link or import emails from Gmail using its migration tools; however, those tools only retrieved existing messages either manually or in batches. Now, users can also send emails using their Gmail address directly from the Proton interface.
DO NOT use Telegram in sensitive applications
Telegram's MTProto: Assessing Deanonymization Potential for a Network Attacker
blackGNMX-01
https://symbolic.software/pdf/gnmx-01.pdf

Telegram's MTProto protocol transmits the auth_key_id, a persistent 64-bit device identifier, in cleartext or trivially obfuscated form. Both Telegram for Android and Telegram Desktop transmit MTProto over unencrypted TCP connections, despite the availability of secure transport alternatives. The auth_key_id remains constant across application restarts, network changes, and extended periods, enabling long-term device tracking by any passive network observer. The vulnerability exists at the transport layer, meaning it affects all Telegram users, including those utilizing end-to-end encrypted Secret Chats or Perfect Forward Secrecy. Perfect Forward Secrecy does not prevent tracking because temporary authorization keys are observable and linkable across key rotations through timing and session correlation. The use of port 443 by Telegram Desktop creates a deceptive appearance of security, as it does not implement actual TLS encryption, potentially misleading users and automated security tools. Passive network observers, such as ISPs, network administrators, and state-level actors, can extract these identifiers without needing active attacks or protocol manipulation. The persistence of the auth_key_id undermines anonymity tools like VPNs, as the identifier remains constant even when routing through such services. Telegram is architecturally responsible for this vulnerability due to its decision to forgo mandatory transport-layer encryption, a standard practice for other messaging platforms. The recommended technical solution is for Telegram to implement mandatory TLS for all MTProto connections, which would effectively eliminate the tracking capability with minimal impact.
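
The point above that traffic on port 443 is not necessarily TLS can be checked by a monitoring tool instead of assumed. The following is an added example, not part of the original post or the cited report: it inspects the first client bytes of a flow for a TLS ClientHello record. The flow tuples, function names and sample bytes are constructed for illustration, and the opaque payload is not a Telegram capture.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record ContentType "handshake"
CLIENT_HELLO = 0x01       # handshake message type
MAX_RECORD_LEN = 2 ** 14  # upper bound on a plaintext TLS record length


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP flow."""
    if len(payload) < 6:
        return "too-short"  # inconclusive: wait for more data
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return "not-tls"
    if length == 0 or length > MAX_RECORD_LEN:
        return "not-tls"
    if payload[5] != CLIENT_HELLO:
        return "not-tls"
    return "tls-client-hello"


def flag_non_tls_443(flows):
    """Return ids of flows to port 443 whose first bytes are clearly not TLS."""
    return [fid for fid, dport, payload in flows
            if dport == 443 and classify_first_bytes(payload) == "not-tls"]


def constructed_client_hello() -> bytes:
    # Constructed sample: record header + handshake header + zero-filled body.
    body = b"\x03\x03" + bytes(32) + b"\x00"  # version, random, empty session id
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(hs).to_bytes(2, "big") + hs


# Constructed flows: (flow id, destination port, first client payload).
SAMPLE_FLOWS = [
    ("flow-a", 443, constructed_client_hello()),
    ("flow-b", 443, bytes(range(0x40, 0x80))),  # opaque bytes, not a real capture
    ("flow-c", 80, b"GET / HTTP/1.1\r\n"),
    ("flow-d", 443, b"\x16\x03"),               # truncated, inconclusive
]

if __name__ == "__main__":
    print(flag_non_tls_443(SAMPLE_FLOWS))
```
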